Risk management firm Kroll issued a notice to clients today regarding the latest ransomware cyberattack, which hit computers across Europe earlier this week and has since spread to supply chains in more than 60 countries, hitting factories and port operations and hampering the delivery of goods around the world. The notice alerts clients that their systems could still be at risk from other threats that exploit several underlying Microsoft Windows vulnerabilities.
“Very much like WannaCry, Petya encrypts the victim’s hard drive and ostensibly demands a ransom of US$300 to be paid in the virtual currency bitcoin. However, Petya is proving to be more sophisticated than WannaCry in terms of scope, ability to be neutralized, and apparently, the motivation behind its launch,” Kroll’s advisory states.
“Notably, this attack spread rapidly within organizations in part by using common IT administrator tools, which are not recognized as malware by traditional security defenses. It may have also leveraged an intrusion at a third-party software vendor. Techniques like these, historically seen in targeted intrusions, are now moving into the mainstream.”
According to Kroll, the following are some key things companies should be aware of:
- Obsolete versions of Microsoft Windows continue to be particularly vulnerable. As we have seen with Petya, lightning can strike twice … or even three or four times. Don’t tempt fate. Unless you have a very specific reason for not doing so, take immediate steps today to move to updated and supported operating systems. If you cannot eliminate outdated, unpatched systems, consider segmenting your network to reduce the attack surface.
- Technically, an interesting development is that Petya propagated within organizations using two common Windows administrative tools, Windows Management Instrumentation Command-line (WMIC) and PsExec. While the use of these and other “non-malicious” tools by intruders to quietly move within networks is not new, their use in such a widespread and automated attack is novel. This knowledge underscores the value of implementing modern threat detection and response solutions, and leveraging trained staff or trusted external partners to more rapidly identify and contain this type of attack.
- Organizations should recognize the very real risk posed by third parties, such as vendors, service providers, etc. At a minimum, review all your vendor risk management processes and institute controls that mitigate potential vulnerabilities.
- We cannot emphasize enough the need for backup and recovery plans that are designed with your specific business continuity needs in mind. Ensure that critical data and programs are backed up in a way that will enable recovery in the face of many types of cyber attacks.
- Finally, consider acquiring cyber insurance policies to mitigate potential losses.
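The WMIC and PsExec propagation described above is hard to spot precisely because both are legitimate administrative tools. As an added example that is not part of Kroll's advisory, the Python below runs over constructed Sysmon-style process-creation records (the field names, host names and account names are assumptions) and flags remote execution via WMIC and PsExec, plus the fan-out pattern of one account reaching several hosts that distinguishes automated spread from routine administration.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "WS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:WS02 process call create \"C:\\Windows\\System32\\cmd.exe\""},
    {"host": "WS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:WS03 process call create \"C:\\Windows\\System32\\cmd.exe\""},
    {"host": "WS01", "user": "CORP\\svc_backup", "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\WS04 -accepteula -d cmd.exe"},
    {"host": "WS04", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "WS05", "user": "CORP\\helpdesk", "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\WS06 ipconfig"},
]

def remote_target(ev):
    """Return (tool, target_host) when the record is a remote-execution attempt, else None."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    if image == "wmic.exe":
        # WMIC only reaches another machine with /node:, and spawning a process
        # there needs "process call create"; require both to avoid noise.
        node = re.search(r'/node:"?([\w.-]+)', cmd, re.IGNORECASE)
        if node and re.search(r"process\s+call\s+create", cmd, re.IGNORECASE):
            return ("wmic", node.group(1).upper())
    elif image == "psexesvc.exe":
        # Service-side footprint: PsExec installed its helper service on this host.
        return ("psexesvc", ev["host"].upper())
    elif image in ("psexec.exe", "psexec64.exe"):
        target = re.search(r"\\\\([\w.-]+)", cmd)
        if target:
            return ("psexec", target.group(1).upper())
    return None

def detect(events, spread_threshold=3):
    """One 'remote_exec' alert per matching record, plus a 'spread' alert for any
    (source host, user) pair that reaches spread_threshold or more distinct targets."""
    alerts, targets = [], defaultdict(set)
    for ev in events:
        hit = remote_target(ev)
        if hit is None:
            continue
        tool, target = hit
        alerts.append({"type": "remote_exec", "tool": tool, "source": ev["host"], "user": ev["user"], "target": target})
        if tool != "psexesvc":  # service-side records carry no source host
            targets[(ev["host"], ev["user"])].add(target)
    for (src, user), hosts in targets.items():
        if len(hosts) >= spread_threshold:
            alerts.append({"type": "spread", "source": src, "user": user, "targets": sorted(hosts)})
    return alerts
```

In production the same logic would read Sysmon or EDR process-creation telemetry; the threshold and an allow-list of known administration hosts tune the fan-out rule to the environment.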
Kroll notes that not only is there no effective “kill switch” for the latest modified version of the Petya virus, but the potential to recover data by paying the ransom has been compromised as well.
The low dollar amount of the initial ransom, combined with the fact that the criminals behind the attack currently cannot be contacted, has fueled speculation over its actual purpose. The Verge has suggested that “the program’s creators had no intention of restoring the machines at all. In fact, a new analysis reveals they couldn’t; the virus was designed to wipe computers outright.”
Irrespective of the motives and ultimate objectives involved, Kroll warns clients that unless an independent “cure” can be found, encrypted data can only be retrieved from a backup copy.